ICO consultation on the draft updated data sharing
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the
survey, or you have any general queries about the consultation, please
email us at datasharingcode@ico.org.uk.


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations
and individuals responding in a professional capacity will be published. We
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new
aspects of data protection legislation which are relevant to data 
sharing? 


[ ] Yes
[x] No


Q2 If not, please specify where improvements could be made. 


Although quite comprehensive, the code does not draw on the scenario 
where a public authority shares data with a private company for the 
same lawful basis. For example, a local authority will use the fostering 
regulations as the lawful basis for processing the special category 
information of young people in care. Independent fostering agencies 
have been created in response to legal statute and process special 
category information of young people and foster carers for the same 
lawful basis. The data relationships are many-to-many; the local 
authority will share information with many fostering agencies and 
fostering agencies will share information with many local authorities. 
Therefore, the position is one of ‘joint controllers’ where the sum of the 
combined information is collected, controlled, managed and processed 
by both parties for the same lawful basis. 


The scenarios that you have presented allow for public to public data 
sharing and private body to private body data sharing, but do not make 
clear the relationships between public and private bodies sharing 
information for the same lawful basis. 

Q3 Does the draft code cover the right issues about data sharing?


[ ] Yes
[x] No


Q4 If no, what other issues would you like to be covered in it?


Our experience is that social and health care, although an area
mentioned, is not explained in sufficient detail. Local authorities do not
manage information, contract or sharing agreements in a uniform 
manner, which presents a significant challenge to their private body 
partners to manage information under their control in a uniform way. 
Consequently, guidance which sets out that similar types of information 
derived from different sources must be managed in compliance with the 
strongest required controls would not only be exceedingly helpful but 
would clarify the required approach where such relationships exist. 


Q5 Does the draft code contain the right level of detail? 


[x] Yes
[ ] No


Q6 If no, in what areas should there be more detail within the draft
code? 

Q7 Has the draft code sufficiently addressed new areas or
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


[ ] Yes
[x] No


Q8 If no, please specify what areas are not being addressed, or not
being addressed in enough detail.


As stated above, the relationships between public and private bodies 
controlling the same information for the same lawful basis are
underrepresented in the code. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[ ] Yes
[x] No


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 

In the section relating to security, the code makes no reference to
appropriate certifications. The UK Government’s National Centre for 
Cyber Security runs the Cyber Essentials certification scheme, which 
would be useful to mention as a desired minimum standard. A reference 
to ISO 27001 certification (Information Security Management) for larger 
organisations would also indicate good practice. 


Either obtaining these certifications or seeking them from data sharing 
partners would provide useful assurance indicators of robust data 
management and that cyber security is taken seriously. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


[x] Yes
[ ] No


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[ ] Yes
[x] No


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 

As stated above, more guidance around joint controllers and the data
sharing activities between public and private bodies would prove useful.
The core elements you have covered, such as marketing, consent, DPIAs
etc., are very well explained, but the less common use cases as outlined
above would be of significant benefit in untangling a complex area of
data sharing.


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


[x] Strongly agree
[ ] Agree
[ ] Neither agree nor disagree
[ ] Disagree
[ ] Strongly disagree

Q16 Are you answering as:

[ ] An individual acting in a private capacity (e.g. someone
providing their views as a member of the public)
[ ] An individual acting in a professional capacity
[x] On behalf of an organisation
[ ] Other


Please specify the name of your organisation: 


Guardian Saints CiC 


Thank you for taking the time to share your views and experience. 


